Seattle Information Technology

Statement on Public Disclosure Request Release

Today, the Seattle Information Technology department released the following statement regarding city emails that were inadvertently released through the public disclosure process:

On September 1, 2017, the City of Seattle discovered that portions of certain emails were inadvertently released to a single individual in response to a public disclosure request (PDR). Upon learning about this error from the PDR requester directly, the City of Seattle took steps to work with the individual who received the information and confirmed the records were securely destroyed. Additionally, the individual also confirmed that he had not and would not use, share, transfer or discuss the files.

The disclosure included email header information such as “To:”, “From:”, “CC:”, “BCC”, “Date”, “Time” and the first 255 characters of each email subject and message body of all City emails exchanged between January 1, 2017 and February 17, 2017, as well as emails exchanged between March 30, 2017 and April 4, 2017.

The City of Seattle takes seriously its obligation to protect the privacy of City residents and employees. The City has initiated a project to assess its public disclosure and records management policies, and implement new ones that would prevent an issue like this from occurring in the future.

FAQ regarding statement on public disclosure request release

What happened?

On September 1, 2017, the City of Seattle discovered that a portion of emails sent to/from City employees between January 1, 2017 and February 17, 2017, and March 30, 2017 and April 4, 2017, were inadvertently released to a single individual in response to a public records request. Specifically, the disclosure included email header information, such as “To” and “From” fields, as well as the first 255 characters of each email subject and message body.

Upon discovery, City staff worked with the individual who inadvertently received the email data and confirmed that he did not and will not use the information, and has securely destroyed the records.

This was NOT a breach of any City database that manages personal identifiers, financial information, or other sensitive data.

The City of Seattle takes seriously its obligation to protect the privacy of City residents and employees while meeting its obligations under the Washington State Public Records Act. The City has initiated a project to assess its public disclosure and records management policies, and implement improvements that would prevent an issue like this from occurring in the future.

Is the issue resolved?

Yes, the City worked with the recipient to confirm that he has not used or shared the email and that it has been securely destroyed. The City is also reviewing its procedures and protocols for responding to public disclosure requests, and making changes to those policies and procedures to reduce the likelihood that this situation happens again.

Are my emails exchanged with the City at risk?

No. The City has worked with the recipient to confirm that the emails were securely destroyed.

Was the City hacked?

No, these records were requested properly through the public disclosure process. An inadvertent error resulted in the requester receiving more information than was intended to have been released.

Who and how many people are affected?

The information released included all emails sent to or from City email addresses during the time period 1/1/2017 and 2/17/2017, and 3/30/2017 and 4/4/2017.

What emails did the requestor receive?

Portions of emails exchanged with the City during the time period January 1, 2017 and February 17, 2017, and March 30, 2017 and April 4, 2017. The email information disclosed included the following: “To,” “From,” “CC,” “BCC,” “Date,” “Time,” and the first 255 characters of the email subject line and message body.

Why does the City provide records to the public?

The Washington State Public Records Act (PRA) requires that all public records maintained by state and local agencies be made available to all members of the public, with very narrow statutory exemptions. A public record is defined in RCW 42.56.010(3) as any writing that is prepared, owned, used, or retained by any state or local government agency, and which contains information that relates to the conduct of government, or the performance of any governmental or proprietary function. The term “writing” is broadly defined in the PRA to include not only traditional written records, but also photos, maps, videos, voicemails, emails, text messages and tweets (RCW 42.56.010(4)). For example, emails sent by individuals to government email addresses are generally public records and thus disclosable.

Individuals may request documents, emails, and other types of records by contacting public agencies and governments, including the City of Seattle.

Public disclosure laws were enacted in the interest of government transparency. They provide the public with a means of asking for government records and information that may affect them. Under this law, members of the public may request electronic and paper copies of most City records, with a few exceptions.

What steps should I take?

Because the City has worked with the recipient to confirm that the email was securely destroyed, the City does not believe that there are additional actions to take at this time.